More Resources

DDoS Do's and Don'ts

The recent spate of Distributed Denial of Service attacks on such major Web
players as Amazon, CNN Interactive, Buy.com, eBay, and others has raised
consciousness of network security. While the attacks ravaged the giants of
e-business over the last week, they have also brought about an equal amount of awareness
that could reduce vulnerability to such attacks in the future.

Distributed Denial of Service (DDoS) attacks carry standard Denial of
Service (DoS) attacks a step further. DoS attacks involve massive bandwidth
consumption that prevents normal network traffic from being carried to and from
the targeted machines. The attacker will send repeated requests, or pings, to
the target machine with a spoofed IP address as the source. Often the spoofed
address will appear to be one from inside the target machine's network. The
flood of network requests shuts down normal network traffic. If the attack does
not shut down the network, often the ISP will shut down the network to all
traffic in order to weed out the attackers.

DDoS attacks involve the same sort of bandwidth flooding, but with requests
coming from, or appearing to come from, several sources rather than a single
source. Additionally, in a DDoS attack, the various sources of requests can be
remotely managed rather than directly managed by a user. Because the attacks
come from many sources, the network routers are slow to detect a DoS attack and
deflect the requests. The result is a downed network.

The recent attacks have led to the discoveries of new hacking software.
Trin00 and TFN are already well-known DDoS systems designed to implement an
attack. The recent discovery of the TFN2K and Stacheldracht systems helps to
explain, if not resolve, the rash of attacks. Both of the new hacker tools are
based on the TFN and Trin00 attacks. Both systems use remote client management
to send out packets from several machines simultaneously to the targets.

Despite their capacity for remote client management, Russ Cooper, owner and
administrator of the NT BugTraq (www.ntbugtraq.com)
mailing list and Web site, is not convinced the attacks originated from remote
clients. In a statement on the NT BugTraq Web site, Cooper says that because
the attacks occurred in "prime time," and the request packets
appeared to be sent at intervals that would be too distant to have been sent by
an automated remote system, the attacks originated from machines that were
actively manned by hackers.

No one had taken credit for the high-profile attacks as of today.

What can Windows NT/2000 and IIS users do to combat these attacks? Analyst
Dennis Szerszen of the Hurwitz Group (www.hurwitz.com)
says that while these types of attacks are mostly more Unix-oriented than
Windows-oriented because of their network nature, generally they are
OS-neutral, striking machines that are on the targeted networks regardless of
operating system. Carnegie Mellon University's CERT (www.cert.org) recommends a tool developed to
detect Trin00 and TFN on some systems, distributed by the FBI, and a Perl
script called "gag" which can detect Stacheldracht agents running on
the local network. -- Isaac Slepner